advance mobsf to also parse exisiting unittestfile #9563

Merged
merged 10 commits into from
Mar 1, 2024
26 changes: 20 additions & 6 deletions dojo/tools/mobsf/parser.py
Expand Up @@ -320,7 +320,16 @@ def get_findings(self, filename, test):
}

mobsf_findings.append(mobsf_item)

if isinstance(data, list):
for finding in data:
mobsf_item = {
"category": finding["category"],
"title": finding["name"],
"severity": finding["severity"],
"description": finding["description"] + "\n" + "**apk_exploit_dict:** " + str(finding["apk_exploit_dict"]) + "\n" + "**line_number:** " + str(finding["line_number"]),
"file_path": finding["file_object"]
}
mobsf_findings.append(mobsf_item)
for mobsf_finding in mobsf_findings:
title = mobsf_finding["title"]
sev = self.getCriticalityRating(mobsf_finding["severity"])
Expand All @@ -343,8 +352,11 @@ def get_findings(self, filename, test):
)
if mobsf_finding["file_path"]:
finding.file_path = mobsf_finding["file_path"]

dupe_key = sev + title
dupe_key = sev + title + description + mobsf_finding["file_path"]
else:
dupe_key = sev + title + description
if mobsf_finding["category"]:
dupe_key += mobsf_finding["category"]
if dupe_key in dupes:
find = dupes[dupe_key]
if description is not None:
Expand Down Expand Up @@ -372,12 +384,14 @@ def getSeverityForPermission(self, status):
# Criticality rating
def getCriticalityRating(self, rating):
criticality = "Info"
if rating == "Good":
if rating.lower() == "good":
criticality = "Info"
if rating == "Warning":
elif rating.lower() == "warning":
criticality = "Low"
elif rating.lower() == "vulnerability":
criticality = "Medium"
else:
criticality = rating.capitalize()
criticality = rating.lower().capitalize()
return criticality

def suite_data(self, suites):
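Review bot: On the lines `dupe_key = sev + title + description + mobsf_finding["file_path"]` and `dupe_key = sev + title + description`, `description` is concatenated unconditionally, yet the later `if description is not None:` guard implies it can be None, and if it ever is the key construction raises TypeError before that guard runs. `description` is assigned in the collapsed part of the hunk, so a line guaranteeing a string may be outside my view; if there is none, normalize it in the key, e.g. `dupe_key = sev + title + (description or "") + mobsf_finding["file_path"]`, or better build the key as a tuple `(sev, title, description, mobsf_finding["file_path"], mobsf_finding["category"])`, which cannot collide the way plain string concatenation can. Separately, the new `isinstance(data, list)` branch indexes `finding["apk_exploit_dict"]`, `finding["line_number"]` and `finding["file_object"]` directly, so a single list element lacking one of those keys aborts the whole import with KeyError instead of skipping that item; `finding.get("line_number")` style lookups would be safer for a report format that varies between MobSF versions. In `getCriticalityRating`, `rating.lower()` now raises AttributeError for a non-string rating where the old `==` comparison did not, so a `str(rating)` or an `isinstance` check at the top would keep the fallback path reachable. get_findings starts and ends outside these hunks.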
9,492 changes: 9,491 additions & 1 deletion unittests/scans/mobsf/allsafe.json


6,089 changes: 6,088 additions & 1 deletion unittests/scans/mobsf/damnvulnrablebank.json


17,671 changes: 17,670 additions & 1 deletion unittests/scans/mobsf/report2.json


44 changes: 33 additions & 11 deletions unittests/tools/test_mobsf_parser.py
Expand Up @@ -14,7 +14,7 @@ def test_parse_file(self):
parser = MobSFParser()
findings = parser.get_findings(testfile, test)
testfile.close()
self.assertEqual(22, len(findings))
self.assertEqual(68, len(findings))
item = findings[0]
self.assertEqual('android.permission.WRITE_EXTERNAL_STORAGE', item.title)
self.assertEqual('High', item.severity)
Expand All @@ -25,10 +25,10 @@ def test_parse_file(self):
self.assertEqual('This shared object does not have RELRO enabled', item.title)
self.assertEqual('High', item.severity)
self.assertEqual('lib/armeabi-v7a/libdivajni.so', item.file_path)
self.assertEqual(7, item.nb_occurences)
self.assertEqual(1, item.nb_occurences)
item = findings[17]
self.assertEqual('Local File I/O Operations', item.title)
self.assertEqual('Info', item.severity)
self.assertEqual('This shared object does not have a stack canary value added to the stack', item.title)
self.assertEqual('High', item.severity)
self.assertEqual(1, item.nb_occurences)

def test_parse_file2(self):
Expand All @@ -40,8 +40,10 @@ def test_parse_file2(self):
parser = MobSFParser()
findings = parser.get_findings(testfile, test)
testfile.close()
self.assertEqual(0, len(findings))
# TODO add more checks dedicated to this file
self.assertEqual(1022, len(findings))
item = findings[1]
self.assertEqual('Potential API Key found', item.title)
self.assertEqual('Info', item.severity)

def test_parse_file_3_1_9_android(self):
test = Test()
Expand All @@ -52,8 +54,19 @@ def test_parse_file_3_1_9_android(self):
parser = MobSFParser()
findings = parser.get_findings(testfile, test)
testfile.close()
self.assertEqual(77, len(findings))
# TODO add more checks dedicated to this file
item = findings[1]
self.assertEqual('android.permission.ACCESS_GPS', item.title)
self.assertEqual('High', item.severity)
item = findings[4]
self.assertEqual('android.permission.ACCESS_LOCATION', item.title)
self.assertEqual('High', item.severity)
item = findings[7]
self.assertEqual('android.permission.READ_PHONE_STATE', item.title)
self.assertEqual('High', item.severity)
item = findings[70]
self.assertEqual('HTTPS Connection', item.title)
self.assertEqual('Info', item.severity)
self.assertEqual(1, item.nb_occurences)

def test_parse_file_3_1_9_ios(self):
test = Test()
Expand All @@ -65,7 +78,16 @@ def test_parse_file_3_1_9_ios(self):
findings = parser.get_findings(testfile, test)
testfile.close()
self.assertEqual(11, len(findings))
# TODO add more checks dedicated to this file
item = findings[2]
self.assertEqual('NSLocationAlwaysUsageDescription', item.title)
self.assertEqual('High', item.severity)
item = findings[3]
self.assertEqual('NSLocationWhenInUseUsageDescription', item.title)
self.assertEqual('High', item.severity)
item = findings[10]
self.assertEqual('App is compiled with Automatic Reference Counting (ARC) flag. ARC is a compiler feature that provides automatic memory management of Objective-C objects and is an exploit mitigation mechanism against memory corruption vulnerabilities.', item.title)
self.assertEqual('Info', item.severity)
self.assertEqual(1, item.nb_occurences)

def test_parse_file_mobsf_3_7_9(self):
test = Test()
Expand Down Expand Up @@ -102,7 +124,7 @@ def test_parse_allsafe(self):
parser = MobSFParser()
findings = parser.get_findings(testfile, test)
testfile.close()
self.assertEqual(55, len(findings))
self.assertEqual(93, len(findings))

def test_parse_damnvulnrablebank(self):
test = Test()
Expand All @@ -113,4 +135,4 @@ def test_parse_damnvulnrablebank(self):
parser = MobSFParser()
findings = parser.get_findings(testfile, test)
testfile.close()
self.assertEqual(39, len(findings))
self.assertEqual(80, len(findings))
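Review bot: The new assertions in test_parse_file2 (`findings[1]`, 'Potential API Key found') check only `title` and `severity`, so the fields the parser's new list branch fills — `file_path` and the description carrying the `**apk_exploit_dict:**` / `**line_number:**` lines — are not verified anywhere in this file, and a regression in them would pass these tests. If that fixture is the one exercising list-shaped input (I cannot see the JSON), add e.g. `self.assertIn('**line_number:**', item.description)` and an `assertEqual` on `item.file_path` against the fixture value. The expected totals (68, 1022, 93, 80) and the positional indexes such as `findings[70]` also hard-wire the parser's output order and the dedupe-key change; a one-line comment per test naming which fixture shape (dict vs list) it covers would make the next count change easier to review.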